An independent researcher has warned of a crypto-stealing campaign in which cybercriminals use a fake Microsoft DirectX 12 download page to distribute malware that steals cryptocurrency wallets and passwords.
First discovered by security researcher Oliver Hough and reported on Twitter, the malware is an information-stealing script that can exfiltrate a victim's cookies, files, system information and list of installed programs, and take screenshots of the Windows desktop.
The attackers attempt to steal a wide variety of Windows cryptocurrency wallets, including Ledger Live, Electrum, Waves.Exchange, Coinomi, Electron Cash, BTCP Electrum, MultiBit HD, Atomic, Jaxx, Exodus, and Monero.
According to the researcher, the stolen data is collected in a %Temp% folder, packed into a zip archive, and exfiltrated to the attackers, who can then use it for further malicious activities such as identity theft, impersonation, and phishing scams.
Cryptocurrency is an increasingly lucrative target for cybercriminals. CIM has recently reported on malware distributors creating fake sites and apps impersonating the Trezor app, on cracked versions of Microsoft Office and Adobe Photoshop that stole Monero cryptocurrency wallets, and on malware that drops password- and crypto-stealing Trojans.
Software should only be downloaded from trusted sources or the developer's own website. As DirectX is a Microsoft component, it is recommended to install it only from Microsoft; downloading it from elsewhere exposes users to threats like this one.